The Members – Membership & User Role Editor Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.22 via the members_filter_protected_posts_for_rest. This makes it possible for unauthenticated attackers to extract determine the existence and exact count of access-restricted posts, and use per-page pagination as a boolean oracle to infer keywords and content contained within those hidden restricted posts.
Project Subscriptions
No data.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Sat, 11 Jul 2026 03:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Members – Membership & User Role Editor Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.22 via the members_filter_protected_posts_for_rest. This makes it possible for unauthenticated attackers to extract determine the existence and exact count of access-restricted posts, and use per-page pagination as a boolean oracle to infer keywords and content contained within those hidden restricted posts. | |
| Title | Members <= 3.2.22 - Unauthenticated Sensitive Information Disclosure via REST API Pagination Side Channel | |
| Weaknesses | CWE-200 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-07-11T02:31:18.186Z
Reserved: 2026-06-16T17:04:21.226Z
Link: CVE-2026-12426
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses